Policy summary
This policy specifies an information security awareness and training program to inform and motivate
all workers regarding their information risk, security, privacy and related obligations.
Applicability
This policy applies throughout the organization as part of the corporate governance framework. It
applies regardless of whether or not workers use the computer systems and networks, since
workers are expected to protect all forms of information asset including computer data, written
materials/paperwork and intangible forms of knowledge and experience. This policy also applies to
third-party employees working for the organization whether they are explicitly bound (e.g. by
contractual terms and conditions) or implicitly bound (e.g. by generally held standards of ethics and
acceptable behavior) to comply with our information security policies.
Policy detail
Background
Technical IT security (cybersecurity) controls are a vital part of our information security framework
but are not in themselves sufficient to secure all our information assets. Effective information
security also requires the awareness and proactive support of all workers, supplementing and
making full use of the technical security controls. This is obvious in the case of social engineering
attacks and frauds, for example, which directly target vulnerable humans rather than IT and network
systems.
Lacking adequate information security awareness, workers are less likely to recognize or react
appropriately to information security threats and incidents and are more likely to place information
in danger through ignorance and carelessness.
Whereas ‘awareness’ implies a basic level of understanding about a broad range of information
security matters, ‘training’ implies more narrowly-focused and detailed attention to one or more
specific topics. Training tends to be delivered through classroom or online courses, while awareness
tends to be delivered by multiple communications methods such as seminars, case studies, written
briefing and reference materials (for self-motivated study), posters and conversations. Awareness
provides the foundation level of knowledge and understanding for training to build upon. In other
words, security awareness and training are complementary approaches.
Item: Information security standards, procedures and guidelines
Relevance: These amplify and explain the information security policies, providing greater detail on particular topics and/or pragmatic advice for particular audiences

Item: Information security awareness and training materials
Relevance: A broad range of information security awareness and training materials is available from the Security Zone or from Information Security, covering both general security matters and more specific security topics; the materials are proactively maintained to remain relevant to the ever-changing information security risk and control landscape
Further information
For general advice on information risk and security matters, speak to your manager, contact the
Help Desk or browse the intranet Security Zone. Contact Information Security or Human Resources
for more specific advice and assistance.